We have not received a response regarding the abuse report implicating resources on your account. Failure to respond could lead to possible mitigation against the implicated resources.
In order to resolve this report please reply to this email within 24 hours with the corrective action taken to cease the activity.
If you require further assistance with resolving this abuse report/complaint please see: https://aws.amazon.com/premiumsupport/knowledge-center/aws-abuse-report/
If you do not consider the activity abusive, please reply to this email detailing the reasons why.
Regards,
AWS Trust & Safety
Case Number: 170775x
--- Original Report ---
Hello,
Please review this important message regarding the security of your AWS account and take action as requested. We have received one or more reports that the following AWS resources:
AWS ID: 0426561x Region: ap-northeast-1 Lightsail Instance Name: Debian-1 Private IP: 172.2x.x.x Public IP: 13.2x.x.x
have been implicated in activity that indicates that it may be infected with malware and may be part of a botnet. We have appended the original report(s) to the end of this email for your review.
Please be aware, operating a host that is a part of a malicious network, or “botnet”, is forbidden per the AWS Acceptable Use Policy (https://aws.amazon.com/aup/).
It is important that you A) stop the reported activity and B) reply directly to this email with details of the corrective actions you have taken.
We recommend you investigate the specified instance(s) for malware and remove any identified malware to stop the reported abusive behavior. Please refer to the AWS Marketplace for partner products that may help identify and remove malware:
If you are unaware of the source of the reported activity it is likely that your Lightsail instance may have been compromised by an external actor.
The best recourse in this case is to create a new Lightsail instance from a snapshot taken well before this abuse notice was first received. For instructions on creating a new instance from a snapshot, see: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/lightsail-how-to-create-instance-from-snapshot
If you do not have such a snapshot, please consider creating a new Lightsail instance from scratch.
To prevent further abuse from your new Lightsail resource(s), AWS Trust & Safety has the following recommendations:
• Review Lightsail documentation on Security best practices: https://lightsail.aws.amazon.com/ls/docs/en_us/search?s=Security%20best%20practice&c=overview
• Ensure that you use strong and complex passwords for administrative access.
• Ensure that you are taking your Lightsail snapshots on a regular basis. Also consider utilizing Automatic Snapshots feature to automate this process: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-configuring-automatic-snapshots
• Ensure the latest OS patches and security updates have been applied. If your Lightsail is running a content management platform such as WordPress, also ensure their applications and plugins are kept up to date as much as possible. Any unnecessary applications and plugins should be removed.
• Consider moving administrative access ports, such as TCP 22 or 3389, to non-default ports. Also consider turning off ports assigned for administrative access entirely and turn them back on as needed: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/understanding-firewall-and-port-mappings-in-amazon-lightsail
• Ensure you are monitoring Average CPU Utilization, Incoming Network Traffic, and Outgoing Network Traffic regularly and look for any abnormalities, such as unusual spikes.
Kindly note that security is a shared responsibility between AWS and you. For more information on shared responsibility model, you may go through the below link:
* Log Extract:
<<<
Please see the below details of the reported AWS IP talking with a C&C or general use of Botnet Application detection.
Risk Type Infection IP address Source Port Destination Port Server Name C&C IP C&C Domain Last Seen
Botnet Infections Wapomi 13.231.x.x 37006 799 ddos.dnsnb8.net XXX.251.106.25 2022-08-04 09:20:44
How can I contact a member of the AWS abuse team or the reporter?
Reply to this email with the original subject line.
Amazon Web Services
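Amazon Web Services LLC is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message produced and distributed by Amazon Web Services, LLC, 410 Terry Avenue North, Seattle, WA 98109-5210
Author: 北极之大 Time: 2022-8-9 23:32
I just ignore them.
Author: toot Time: 2022-8-9 23:33
Install things manually whenever possible; scripts are not good. Even if there is no trojan, they leave residue on the system, which is bad for a production environment over time.
Author: mmedici Time: 2022-8-10 08:10
Check it out. I recommend deleting the instance and rebuilding.
Author: 叼爆小朋友 Time: 2022-8-10 08:59
Just keep pushing traffic as hard as you can and ignore them; it's a monthly throwaway anyway.
Author: sunkeinfo Time: 2022-8-10 09:10
I am an AWS expert; let me answer this question.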